Open jaredfholgate opened 2 weeks ago
This issue is similar to https://github.com/Azure/terraform-provider-azapi/issues/491, but wanted to provide a specific example. This issue is impacting customers as azapi
adoption increases. The azurerm
provider does not have the same problem.
I believe MSI is the security recommendation nowadays @jaredfholgate but correct me if I'm wrong. If so, would there be a way in your eyes to be more resilient with MSI auth or do you think we need to explicitly require a user to enable MSI auth?
For deploy time secrets (as in this use case) the recommendation is OIDC (Workload identity federation). MSI is not recommended if you can use OIDC instead. But MSI is better than anything involving a secret.
With regards to az CLI, this can support OIDC, MSI and other types of auth. It is not just for user auth. Using az CLI is a good option as it has built in support for renewing OIDC creds. Unfortunately, the azurerm backend does not support az CLI for these scenarios, which is a real limitation at the moment.
To summarise, I don't believe we should be attempting MSI auth unless it is explicitly specified. The default should be az CLI as per the other providers and we should have first class support for OIDC and id token expiration renewal. Happy to discuss further around this and help explain, feel free to ping me on Teams.
Hi
Summary
When attempting to use az cli auth in Azure DevOps or GitHub with a Microsoft hosted agent, the provider erroneously attempts MSI auth and fails with the following error:
This is due to the fact that Microsoft-hosted agents are hosted in Azure and do have an MSI endpoint, but no associated identity.
The same would likely be true for self-hosted agents hosted in Azure with no managed identity attached.
How to Replicate
Replace the subscription GUID...
Pipeline:
Terraform:
Suggested Solution
Do not attempt MSI auth unless
use_msi
is explicity set totrue
.Workaround
Explicitly set the environment variables like this: